{"id":453,"date":"2023-01-30T14:23:16","date_gmt":"2023-01-30T12:23:16","guid":{"rendered":"https:\/\/ackeeblockchain.com\/blog\/?p=453"},"modified":"2023-01-30T14:23:16","modified_gmt":"2023-01-30T12:23:16","slug":"2022-solana-hacks-explained-crema-finance","status":"publish","type":"post","link":"https:\/\/ackee.xyz\/blog\/2022-solana-hacks-explained-crema-finance\/","title":{"rendered":"2022 Solana Hacks Explained: Crema Finance"},"content":{"rendered":"

Crema Finance<\/strong><\/a> is a liquidity pool based<\/strong> on CLMM (Concentrated Liquidity Market Maker) that allows<\/strong> liquidity providers to set specific price ranges<\/strong>, add<\/strong> single-sided liquidity<\/strong> and do range order trading<\/strong>. <\/span><\/p>\n

What happened <\/strong><\/p>\n

On July 2, 2022, the pool was subject to an exploit, draining<\/strong> over $8M<\/strong> worth of assets. The hacker used a combination<\/strong> of flash-load<\/strong> and exploitation<\/strong> of owner verification<\/strong>.<\/span><\/p>\n

The project is closed source<\/strong>, so the information about the hack is limited. The only<\/strong> publicly available security audit<\/strong> <\/a>took place in October after<\/strong> the incident.<\/span><\/p>\n

Exploit Details<\/b><\/p>\n

According to Crema Finance’s tweet<\/strong><\/a>, the CLLM depends on a tick account containing information about the price tick data.<\/strong> The attacker created a fake tick<\/strong> account and circumvented<\/strong> the owner check<\/strong> by writing the initialised tick address of the pool into the fake account. After that, he took a flash loan<\/strong> from Solend and used it to deposit liquidity<\/strong> to the Crema liquidity pool. As the tick price<\/strong> is related to the calculation of transaction fees<\/strong>, the attacker was able to claim<\/strong> lots of fees<\/strong> by spoofing in the fake tick account. Finally, he withdrew the original tokens<\/strong> deposited and returned the flash loan<\/strong>.<\/span><\/p>\n

After the incident, Crema Finance suspended the protocol<\/strong> and offered<\/strong> the hacker an $800k<\/strong> white hat bounty<\/strong> via on-chain message<\/a> to the hacker’s Ethereum address. After negotiations, the hacker agreed<\/strong> to take the 45455 SOL<\/strong> bounty (approximately $1.5M at that time) and returned<\/strong> the rest<\/strong> to the protocol.<\/span><\/p>\n

In simple words,<\/b> everything points again to the common problem<\/strong> that the input<\/strong> accounts<\/strong> were not properly checked<\/strong>, similar to the Wormhole<\/a> and Cashio<\/a> cases, however as the protocol is closed source, some details may be missing.\u00a0<\/span><\/p>\n

References<\/strong><\/p>\n

1, <\/a>2<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

Crema Finance is a liquidity pool based on CLMM (Concentrated Liquidity Market Maker) that allows liquidity providers to set specific price ranges, add single-sided liquidity and do range order trading. What happened On July 2, 2022, the pool was subject to an exploit, draining over $8M worth of assets. The hacker used a combination of flash-load and exploitation of owner verification. The…<\/p>\n","protected":false},"author":15,"featured_media":454,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[84,5],"tags":[86,6,19],"class_list":["post-453","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacks","category-solana","tag-hack","tag-solana","tag-solana-security"],"aioseo_notices":[],"featured_image_src":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/01\/Crema-600x400.png","featured_image_src_square":"https:\/\/ackee.xyz\/blog\/wp-content\/uploads\/2023\/01\/Crema-600x600.png","author_info":{"display_name":"Aleksandra Yudina","author_link":"https:\/\/ackee.xyz\/blog\/author\/aleksandra-yudina\/"},"_links":{"self":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/453","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/users\/15"}],"replies":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/comments?post=453"}],"version-history":[{"count":0,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/posts\/453\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media\/454"}],"wp:attachment":[{"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/media?parent=453"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/categories?post=453"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ackee.xyz\/blog\/wp-json\/wp\/v2\/tags?post=453"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}